SagiBarOr wrote:
> Sure. Here is the picture again: we are doing EAP-TTLS authentication with a
> partial proxy. We call it "split authentication". One Freeradius server is
> doing the TLS phase and then proxies the MS CHAP v2 portion to a second Free
> Radius server.
> This works just fine.
> When we try to do the same when the second server (which does the MS CHAP v2
> authentication) is not Free Radius, but rather MS NPS or Cisco ACS - the
> authentication fails. The connection is refused because of bad username or
> pwd.

The debug logs you posted show no such reject.

> My question to the forum: although the system with 2 FR servers works fine,
> can it be that there is an issue with the MS CHAP v2 proxy, and only because
> the second radius is also Free radius, then it tolerates it?

My $0.02 is that FreeRADIUS implements the specs correctly. It proxies MS-CHAP as MS-CHAP, without any butchering of the packets.

> I know it is a weird request to look for something non std or wrong in logs
> of a successful session, but I still try my luck. Any lead can help.

This disagrees with what you said earlier. If the connection is refused, you should not see a successful session. Which one is it?

Alan DeKok.

